Tag Archives: Data processing

Computerised reservation systems

Outline of the Community (European Union) legislation about Computerised reservation systems

Document or Initiative

Regulation (EC) No 80/2009 of the European Parliament and of the Council of 14 January 2009 on a Code of Conduct for computerised reservation systems and repealing Council Regulation (EEC) No 2299/89.

Summary

This Regulation aims to establish a harmonised code of conduct regarding the use of computerised reservation systems in order to ensure fair competition and to protect consumers’ rights.

Scope

This Regulation shall apply to:

  • any computerised reservation system (CRS) * used or offered for use in the Community for air transport services;
  • rail-transport products * used or offered for use in the Community and which are incorporated alongside air-transport products into the principal display of a CRS.

RULES OF CONDUCT FOR SYSTEM VENDORS

Relationship with transport providers

A system vendor * may not:

  • impose unfair or discriminatory conditions in contracts concluded with participating carriers or their subscribers;
  • prevent a participating carrier from using other reservation systems.

Distribution facilities

All system vendors shall apply the same treatment to all participating carriers with regard to distributing their transport products and shall inform them of changes to their distribution facilities or loading procedures. Furthermore, a system vendor shall ensure that its distribution facilities * are clearly separated from the management and marketing facilities of participating carriers.

Displays

The presentation of data related to the transport products offered shall not mislead the consumer.

Flights operated by air carriers banned from operating in the Community shall be displayed in a clear and distinctive manner. The system vendor shall enable users to clearly identify the operating air carrier.

System vendors from third countries have an obligation to treat Community carriers in a manner that is equivalent to their treatment of national carriers. The Commission shall ensure that in third countries, Community air carriers are not treated in a discriminatory manner by system vendors. Should this be the case, the Commission may require system vendors operating in the Community to treat air carriers from third countries in a similar manner.

RULES OF CONDUCT FOR TRANSPORT PROVIDERS

Participating carriers shall submit accurate data to a CRS in such a way as to enable it to comply with the rules on displaying data.

A parent carrier, subject to reciprocity, shall not discriminate against a competing CRS by refusing, for example, to provide the latter with the same information on its own transport products that it provides to its own CRS.

A parent carrier shall not directly or indirectly favour its own CRS by obliging a subscriber to use a particular CRS to sell its transport products.

PROTECTION OF PERSONAL DATA

All system vendors shall be responsible for processing personal data. Personal data shall only be processed for the purpose of making reservations or issuing tickets for transport products.

AUDIT

System vendors shall submit an independently audited report every four years or upon request from the Commission.

INFRINGEMENTS AND PENALTIES

Where the Commission finds that there is an infringement of this Regulation, it may require the undertakings or associations of undertakings concerned to bring such an infringement to an end and impose on the latter fines not exceeding 10 % of the total turnover. The Commission shall first issue to the undertakings or associations of undertakings concerned a statement of objections.

This Regulation repeals Regulation (EEC) No 2299/89.

Key terms of the Act

  • Transport product: the carriage of a passenger between two airports or rail stations;
  • Computerised reservation system or ‘CRS’: a computerised system containing information about, inter alia, schedules, availability and fares, of more than one air carrier, with or without facilities to make reservations or issue tickets, to the extent that some or all of these services are made available to subscribers;
  • System vendor: any entity and its affiliates which is or are responsible for the operation or marketing of a CRS;
  • Distribution facilities: facilities provided by a system vendor for the provision of information about air carriers’ and rail-transport operators’ schedules, availability, fares and related services and for making reservations and/or issuing tickets, and for any other related services.

References

  • Act: Regulation (EC) No 80/2009
  • Entry into force: 29.3.2009
  • Deadline for transposition in the Member States: –
  • Official Journal: OJ L 35 of 4.2.2009

Agreement on the processing and transfer of passenger name record data by air carriers to the United States Department of Homeland Security

Outline of the Community (European Union) legislation about Agreement on the processing and transfer of passenger name record data by air carriers to the United States Department of Homeland Security

Agreement on the processing and transfer of passenger name record data by air carriers to the United States Department of Homeland Security (2007 PNR Agreement)

Document or Initiative

Council Decision 2007/551/CFSP/JHA of 23 July 2007 on the signing, on behalf of the European Union, of an Agreement between the European Union and the United States of America on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the United States Department of Homeland Security (DHS) (2007 PNR Agreement)

Agreement between the European Union and the United States of America on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the United States Department of Homeland Security (DHS) (2007 PNR Agreement).

Summary

The purpose of sharing passenger name record (PNR) data is to combat terrorism and organised crime, protect people’s vital interests and prevent the flight of individuals from warrants or custody issued against them.

This Decision consists of the Agreement, the accompanying letter from the United States Department of Homeland Security (DHS) and the letter of the European Union (EU) in reply. Applicable for seven years, it requires airlines to transfer data to DHS concerning passengers transported to or from the United States. In return, DHS undertakes to guarantee a high level of protection. The Decision advocates the application of security measures on data transfers and calls on the parties to respect the fundamental rights and freedoms of passengers.

Type of passenger name record (PNR) data collected

DHS obtains PNR data from the air carriers, flight tickets and travel documents. The data collected concern:

  • APIS information (name, civil status, date of birth, nationality, country of residence, etc.);
  • the journey (date of reservation/issue of ticket, travel date, itinerary, baggage, seat number, travel status of passenger, travel agency used);
  • the flight ticket (free tickets, upgrades, ticket issue, price, number, form of payment used and billing);
  • PNR (record locator code, names on PNR, split/divided PNR information and all historical changes made to PNR);
  • all available contact information;
  • OSI (Other Service Information), SSI and SSR (Special Services) data.

“Sensitive” PNR data

Sensitive PNR data relate to ethnic origin, philosophical, political or religious beliefs, trade union membership and the health and sex life of the individual. Once this information has been received, DHS employs an automatic system to filter the sensitive codes and terms. DHS undertakes not to use this information and to delete it promptly.

However, where lives are in danger and the passenger has supplied such information, DHS is authorised to use it, provided that it maintains a log of access to these data and deletes them within thirty days. It is required to inform the European Commission (within 48 hours) that it has accessed these data.

PNR data protection and transmission

The letter from DHS accompanying the Agreement explains how DHS collects, uses and stores PNR data. It treats the information as sensitive and confidential. DHS may transmit it to the US authorities responsible for law enforcement, public security or counterterrorism and to countries capable of ensuring data protection, but only for the same purposes as those for which DHS received the data (mainly to combat terrorism and organised crime).

If the air carriers have a system complying with DHS technical requirements, they will transmit the data to DHS via a ‘push’ system. On the other hand, they will transmit the data via a ‘pull’ system if the carrier has not implemented such a system. It is for the carriers to initiate the transition to a ‘push’ system.

DHS receives PNR data 72 hours before the scheduled departure. It may ask to receive them earlier if necessary. It nevertheless undertakes to make this type of request judiciously and with proportionality.

DHS retains the data in an analytical database for 7 years, after which time the data are stored for a further 8 years, but in dormant, non-operational status. They may be accessed only with approval of a senior DHS official. The two parties will reach agreement to determine when PNR data must be destroyed. Only those related to a specific investigation in progress may be retained.

Right of access and right of inspection

DHS extends the American Privacy Act provisions to PNR in its possession. Administrative, civil and penal sanctions are therefore provided for in the event of failure to respect privacy and unauthorised disclosure.

The EU, US and the aviation industry cooperate so that passengers are informed about how the governments may use the information concerning them. DHS informs and replies to questions from the public on PNR data through publications in the Federal Register and standard notices made available and published on its website.

DHS undertakes not to disclose PNR data to the public (apart from the persons concerned).

Cooperation and reciprocity

DHS transmits analytical data flowing from PNR data to the European police and judicial authorities concerned, Europol and Eurojust. The European authorities do the same to the US authorities.

Both parties ensure that their systems work effectively. The Secretary of Homeland Security (DHS) and the Commissioner for Justice, Freedom and Security (EU) periodically review the application of this decision.

Background

The transfer to the US authorities of PNR data held by European airlines has been the subject of successive agreements. The most recent is dated 19 October 2006 and expired on 31 July 2007. For this reason, the Council decided (on 22 February 2007) to authorise the Presidency to open negotiations, which gave rise to the present Agreement.

This Agreement is applicable as of the date of signature. It enters into force on the first day of the month after the date on which the parties have notified one another that they have completed their internal procedures.

References

  • Act: Decision 2007/551/CFSP/JHA
  • Entry into force – Date of expiry: 23.7.2007
  • Deadline for transposition in the Member States: –
  • Official Journal: OJ L 204 of 4.8.2007

Related Acts

Council Decision 2006/729/CFSP/JHA of 16 October 2006 on the signing of an Agreement between the EU and the USA on the processing and transfer of passenger name record (PNR) data by air carriers to the DHS – Agreement between the European Union and the United States of America on the processing and transfer of passenger name record (PNR) data by air carriers to the DHS [Official Journal L 298 of 27.10.2006].

Council Decision 2004/496/EC of 17 May 2004 on the conclusion of an Agreement between the European Community and the United States of America on the processing and transfer of PNR data by Air Carriers to the DHS, Bureau of Customs and Border Protection – Agreement between the European Community and the United States of America on the processing and transfer of PNR data by Air Carriers to the DHS, Bureau of Customs and Border Protection [Official Journal L 183 of 20.5.2004].

Promoting data protection by privacy-enhancing technologies

Outline of the Community (European Union) legislation about Promoting data protection by privacy-enhancing technologies

Document or Initiative

Communication from the Commission to the European Parliament and the Council on promoting data protection by privacy-enhancing technologies [COM(2007) 228 final – Not published in the Official Journal].

Summary

The Commission considers that privacy-enhancing technologies (PETs) should be developed and more widely used, in particular where personal data are processed through information and communication technology (ICT) networks. It considers that wider use of these technologies would improve the protection of privacy.

In its Communication on a strategy for a secure Information Society, it invites the private sector to “stimulate the deployment of security-enhancing products, processes and services to prevent and fight ID theft and other privacy-intrusive attacks”. Furthermore, in its Roadmap for a pan-European eIDM Framework by 2010, it indicates that one of the key principles governing electronic identity management is that “the system must be secure, implement the necessary safeguards to protect the user’s privacy, and allow its usage to be aligned with local interest and sensitivities”.

The purpose of this Communication, which follows on from the Communication on a strategy for a secure Information Society, the Roadmap for a pan-European eIDM Framework by 2010 and the First Report on the implementation of the Data Protection Directive, is to define the objectives so as to achieve better protection of privacy and to determine clear actions so as to achieve these goals by supporting the development of PETs and their use by data controllers and consumers.

First objective: to support the development of PETs

If PETs are to be widely used, there needs to be further design, development and manufacturing of PETs. Although these activities are already undertaken to a certain degree by the public and private sectors, the Commission considers that they should be stepped up. With this aim in mind, the need for PETs and their technological requirements should be identified and RTD activities should develop the tools. Finally, the Commission will encourage stakeholders to meet and discuss these technologies.

As the need for and technological requirements of PETs are identified, concrete action has to be taken to arrive at an end-product ready to use. In the future, under the 7th Framework Programme, the Commission intends to support other research and technological development (RTD) projects and large-scale pilot demonstrations to develop and stimulate the uptake of PETs. The Commission also calls on national authorities and on the private sector to invest in the development of PETs.

Second objective: to support the use of available PETs by data controllers

The Commission calls on all data controllers to incorporate and apply PETs in their processes more widely and systematically. For that purpose, the Commission will organise seminars with key actors of the ICT industry, and in particular PETs developers, with the aim of analysing their possible contribution to promoting the use of PETs among data controllers. It will also conduct a study on the economic benefits of PETs and disseminate its results in order to encourage enterprises, in particular SMEs, to use them.

Furthermore, the Commission will assess the need to develop standards regarding the lawful processing of data with PETs.

Firstly, the Commission will consider the need for respect of data protection rules to be taken into account in standardisation activities. It may invite the European Standardisation Organisations (CEN, CENELEC, ETSI) to assess specific European needs and subsequently to bring them to the international level by means of applying the current agreements between European and international standardisation organisations.

Secondly, the Commission considers that this is an area where coordination of national practice could contribute positively to promoting the use of PETs. It is calling on the Article 29 Working Party to continue its work in the field by including in its programme ongoing analysis of the needs for incorporating PETs in data-processing operations. This work should then produce guidelines for data-protection authorities to implement at national level through coordinated adoption of the appropriate instruments.

Moreover, many data-processing operations are conducted by public authorities in the exercise of their competences, both at national and at Community level. They are themselves bound to respect fundamental rights, including the right to protect personal data.

The Commission also considers that the public authorities should therefore set a clear example in this field. It calls on governments to ensure that data-protection safeguards are embedded in eGovernment applications, including through the widest possible use of PETs in their design and implementation. As for Community institutions and bodies, the Commission calls on them to comply with the requirements of Regulation (EC) No 45/2001. The European Data Protection Supervisor could contribute with his advice to drawing up internal rules relating to the processing of personal data.

Third objective: to encourage consumers to use PETs

A consistent strategy must be adopted to raise consumer awareness of the risks involved in processing their data and of the solutions that PETs may provide. With this in mind, the Commission intends to launch a series of EU-wide awareness-raising activities on PETs.

The main responsibility for conducting this activity falls within the realm of national data-protection authorities, which already have valuable experience in this area. The Commission calls on them to increase their awareness-raising activities to include information on PETs through all possible means within their reach. It also urges the Article 29 Working Party to coordinate national practice in a coherent work plan for awareness-raising on PETs and to serve as a meeting point for the sharing of good practice already in place at national level.

The Commission also intends to investigate the feasibility of an EU-wide system of privacy seals. With this in mind, and taking account of previous experience concerning seal programmes in other areas (e.g. environment, agriculture, security certification for products and services), it will conduct a dialogue with all the stakeholders concerned, including national data-protection authorities, industrial and consumer associations and standardisation bodies.